plugins icon indicating copy to clipboard operation
plugins copied to clipboard
verified publisher icon opnsense

security/acme-client: Automations order in GUI is unstable; editing reorders <restartActions> (Reload before Copy)

Open Reiner030 opened this issue 4 months ago • 1 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug When configuring many Automations (Copy-/Sent-/Reload-/Restart-*) for a certificate, the GUI does not preserve the entered order. After Save → Edit again, the list is shown in a different order. Saving again writes this unintended order back to <restartActions>, which changes the execution order and can cause Reload/Restart before Copy/Sent.

Services reload with old certificates still in place, causing short outages after renewals. Bug is very annoying since over 1,5 years but nobody seems to complain about it yet.

To Reproduce Steps to reproduce the behavior:

  1. Go to Services → ACME Client → Certificates → edit certificate.
  2. In “Automations”, add actions with desired order (e.g. all Copy/Sent first, then Reload/Restart).
  3. Save.
  4. Re-open the same certificate (Edit) → observe the list order is different (often UUID-driven).
  5. Save again (no changes).
  6. Inspect /conf/config.xml: <restartActions> CSV has been re-ordered unexpectedly. Field affected: /conf/config.xml → <OPNsense><AcmeClient>…<certificates><certificate><restartActions>…</restartActions>

Expected behavior GUI preserves and displays the user-defined order, and saving persists this order to <restartActions> deterministically. Or (by option?) the desired actions could be sorted in right order of Copy-* → Sent-* → Reload-* → Restart-* tasks; (optionally maybe also alphabetically sorted in each task)

Environment OPNsense Business 25.4.3 (commit d09a2b9cd) (amd64) Plugin os-acme-client 4.9 (model shows <AcmeClient version="4.2.0"> in config) acme.sh 3.1.1

Reiner030 avatar Sep 15 '25 08:09 Reiner030

Btw: ChatGPT was so kindly (and in this case created a working script^^) so you can also easily check it within your instance yourself if your tasks are correctly ordered:

  • acme_show_certificate_orders.sh: https://gist.github.com/Reiner030/110863ee0e7054902633daa8590caed9
  • acme_reorder_sorted_certificate_tasks.sh: https://gist.github.com/Reiner030/8583a101148636e7368afc1c428593cb

Reiner030 avatar Sep 15 '25 08:09 Reiner030